
Free public security scan

Non-intrusive, public-data-only assessment of a domain you own or are authorised to test. Score 0–100 + downloadable PDF report.

Scans HTTP security headers, TLS configuration, DNS records (SPF, DMARC, CAA), TCP-connect on standard ports, and the presence of /.well-known/security.txt. No fuzzing, no auth bypass, no content scraping. Limited to 3 scans / hour / IP.

Submit the bare hostname (no https://, no path).

Get the PDF report by email (optional)

Leave this empty to download the report directly in your browser instead. We never share your address.


Free, rate-limited to 3 scans per hour per IP. Results are cached for 24 h. Logs (your IP, the scanned domain) are kept 90 days for abuse response and then deleted (Swiss FADP / GDPR).

Frequently asked questions

Is the scan really free?

Yes — completely. No signup, no credit card, no trial timer. The free public scan is rate-limited to 3 runs per hour per IP and one PDF report per email per hour, which is enough for any legitimate posture check and stops abuse from automated mass scans.

Do I need to sign up to use it?

No. You can run the scan anonymously and download the PDF directly in your browser. If you provide an email address we'll attach the PDF to a message and wipe the server-side copy immediately — your inbox becomes the only place the report lives.

What does the scanner actually check?

Five categories: HTTP security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy), TLS configuration (cert validity, expiry, supported protocols and ciphers), DNS records (SPF, DMARC, DKIM, CAA), TCP-connect on standard ports (no banner grabbing on closed ones), and the presence of a /.well-known/security.txt file. The scan also enriches version-disclosure headers with CISA KEV / NVD CVE matches when applicable.
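To make these categories concrete, here is an added example (not SentriKat's scanner code) that runs the same kind of passive checks over data already in hand: a set of HTTP response headers and the TXT records that SPF and DMARC live in. It makes no network calls; the sample headers and records are constructed, and the per-header weights, the 180-day HSTS threshold and the scoring scheme are assumptions for illustration, not the scanner's actual rules.

```python
"""Passive posture checks over constructed input: HTTP security headers, SPF and DMARC.

Added example, not SentriKat code. Weights and thresholds are assumptions.
"""
import re

# Headers the FAQ lists; the weights (summing to 100) are an assumption.
EXPECTED_HEADERS = {
    "strict-transport-security": 25,
    "content-security-policy": 25,
    "x-frame-options": 15,
    "referrer-policy": 15,
    "permissions-policy": 20,
}

HSTS_MIN_AGE = 180 * 24 * 3600  # 180 days; a common baseline, assumed here


def check_headers(headers):
    """Return a list of (header, status, detail); status is ok / weak / missing."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name in EXPECTED_HEADERS:
        if name not in lower:
            findings.append((name, "missing", "header not present"))
            continue
        value = lower[name]
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value)
            age = int(m.group(1)) if m else 0
            if age < HSTS_MIN_AGE:
                findings.append((name, "weak", f"max-age={age} is shorter than 180 days"))
                continue
        if name == "content-security-policy" and "'unsafe-inline'" in value:
            findings.append((name, "weak", "policy allows 'unsafe-inline'"))
            continue
        findings.append((name, "ok", value))
    return findings


def header_score(findings):
    """Full weight for ok, half for weak, nothing for missing (assumed scheme)."""
    score = 0
    for name, status, _ in findings:
        weight = EXPECTED_HEADERS[name]
        if status == "ok":
            score += weight
        elif status == "weak":
            score += weight // 2
    return score


def check_spf(txt_records):
    """Evaluate the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.startswith("v=spf1")]
    if not spf:
        return ("missing", "no v=spf1 record")
    if len(spf) > 1:
        return ("invalid", "multiple SPF records; RFC 7208 requires exactly one")
    terms = spf[0].split()
    catch_all = next((t for t in terms if t.endswith("all")), None)
    if catch_all in ("-all", "~all"):
        return ("ok", catch_all)
    return ("weak", f"catch-all is {catch_all!r}; expected -all or ~all")


def check_dmarc(txt_records):
    """Evaluate the DMARC record found at _dmarc.<domain>."""
    rec = next((r for r in txt_records if r.startswith("v=DMARC1")), None)
    if rec is None:
        return ("missing", "no v=DMARC1 record")
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    policy = tags.get("p", "none")
    if policy in ("quarantine", "reject"):
        return ("ok", f"p={policy}")
    return ("weak", f"p={policy} only monitors and does not enforce")


def posture_report(headers, domain_txt, dmarc_txt):
    """Combine the checks into one dict of the kind a report would be built from."""
    findings = check_headers(headers)
    return {
        "header_findings": findings,
        "header_score": header_score(findings),
        "spf": check_spf(domain_txt),
        "dmarc": check_dmarc(dmarc_txt),
    }


# Constructed sample input (not captured from any real domain).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
}
SAMPLE_TXT = ["v=spf1 include:_spf.example.net ~all", "site-verification=placeholder"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    for key, value in posture_report(SAMPLE_HEADERS, SAMPLE_TXT, SAMPLE_DMARC_TXT).items():
        print(key, value)
```

On the sample input the header score is 52: HSTS and X-Frame-Options earn full weight, the CSP earns half because it allows inline scripts, and the two absent headers earn nothing. SPF passes with a soft fail, while DMARC is flagged as weak because `p=none` only reports and never rejects spoofed mail; that distinction between a record merely existing and a record actually enforcing is what separates a check-box scan from a useful posture check.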

Is the scan intrusive? Could it break my site?

No. The scan only uses publicly-available data — the same things a browser or Googlebot would fetch. No fuzzing, no auth bypass attempts, no payload injection, no content scraping. It's a passive posture check, not a penetration test.

How long does it take?

About 30 seconds for a typical domain. The five categories run in parallel and the PDF is rendered immediately after. If you provided an email you'll receive the attachment within a minute of the scan finishing.

Do I need authorization to scan a domain?

Yes. You must own the domain or have explicit authorisation from the owner. We require you to confirm this on the form before the scan runs, and we keep an audit trail (your IP, the scanned domain, the consent timestamps) for 90 days for abuse response — then it's deleted.

What format is the report in?

PDF. The report includes the per-category score breakdown, every finding with severity and concrete remediation steps, and a mapping to compliance frameworks (NIS2, ISO 27001, GDPR / FADP). It's designed to be shareable with non-technical stakeholders.

What's the difference between the free scan and SentriKat Pro?

The free scan is a one-off, public-data-only posture check. SentriKat Pro adds continuous monitoring, agent-based asset inventory, version-verified CVE matching against your real installed software, SBOM exports, NIS2 / ISO 27001 evidence packaging, and SLA-backed support. It runs on-prem or as a managed cloud service.